issue2550919 - Anti-bot signup using 4 second delay

Took the code by erik forsberg and massaged it into the core.

So this is no longer needed in the tracker.

Updated devel and responsive trackers to remove timestamp.py and
update input field name.

Docs, changes and tests complete. Hopefully these tracker changes
won't cause an issue for other tests.

Author: rouilj

CHANGES.txt

@@ -22,6 +22,10 @@ Features:
   (Ralf Schlatterbeck)
 - issue2550926 - Original author adding a second message shouldn't set
   status to 'chatting'. See upgrading.txt for details. (John Rouillard)
+- issue2550919 - Anti-bot signup using 4 second delay. New config.ini
+  param [web] registration_delay must be set to 0 if template
+  user.register.html is not modified.  See upgrading.txt for details.
+
 Fixed:
 
 - issue2550996 - Give better error message when running with -c

doc/upgrading.txt

@@ -25,7 +25,7 @@ Migrating from 1.6.X to 2.0.0
 
 Upgrade tracker's config.ini file
 --------------------------------------
-Once you have installed the new roundup, use:
+Once you have installed the new roundup, use::
 
   roundup-admin -i /path/to/tracker updateconfig newconfig.ini
 
@@ -41,11 +41,14 @@ Python 3 support
 Many of the ``.html`` and ``.py`` files from Roundup that are copied
 into tracker directories have changed for Python 3 support.  If you
 wish to move an existing tracker to Python 3, you need to merge in
-those changes.  If your tracker uses the ``anydbm`` or ``mysql``
-backends, you also need to export the tracker contents using
-``roundup-admin export`` running under Python 2, and them import them
-using ``roundup-admin import`` running under Python 3, as for a
-migration to a different backend.  If using the ``sqlite`` backend,
+those changes. Also you need to make sure that locally created python
+code in the tracker is correct for Python 3.
+
+If your tracker uses the ``anydbm`` or ``mysql`` backends, you also
+need to export the tracker contents using ``roundup-admin export``
+running under Python 2, and them import them using ``roundup-admin
+import`` running under Python 3. This is detailed in the documention
+for migrating to a different backend.  If using the ``sqlite`` backend,
 you do not need to export and import, but need to delete the
 ``db/otks`` and ``db/sessions`` files when changing Python version.
 If using the ``postgresql`` backend, you do not need to export and
@@ -65,6 +68,40 @@ back to using python 2. (Note going back to Python 2 will require
 the same steps as moving from 2 to 3 except using Python 3 to perform
 the export.)
 
+Rate Limit New User Registration
+--------------------------------
+
+The new user registration form can be abused by bots to allow
+automated registration for spamming. This can be limited by using the
+new ``config.ini`` ``[web]`` option called
+``registration_delay``. The default is 4 and is the number of seconds
+between the time the form was generated and the time the form is
+processed.
+
+If you do not modify the ``user.register.html`` template in your
+tracker's html directory, you *must* set this to 0. Otherwise you will
+see the error:
+
+  Form is corrupted, missing: opaqueregister.
+
+If set to 0, the rate limit check is disabled.
+
+If you want to use this, you can change your ``user.register.html``
+file to include::
+
+ <input type="hidden" name="opaqueregister" tal:attributes="value python: utils.timestamp()">
+
+The hidden input field can be placed right after the form declaration
+that starts with::
+
+   <form method="POST" onSubmit="return submit_once()"
+
+If you have applied Erik Forsberg's tracker level patch to implement
+(see: https://hg.python.org/tracker/python-dev/rev/83477f735132), you
+can back the code out of the tracker. You must change the name of the
+field in the html template to ``opaqueregistration`` from ``opaque``
+in order to use the core code.
+
 PGP mail processing
 -------------------
 
@@ -120,8 +157,8 @@ or::
 Update userauditor.py to restrict usernames
 -------------------------------------------
 
-A username can be created with embedded commas and &lt; and &gt;
-characters. Even though the &lt; and &gt; are usually escaped when
+A username can be created with embedded commas and < and >
+characters. Even though the < and > are usually escaped when
 displayed, the embedded comma makes it difficult to edit lists of
 users as they are comma separated.
 

roundup/cgi/actions.py

@@ -6,6 +6,7 @@
 from roundup.cgi import exceptions, templating
 from roundup.mailgw import uidFromAddress
 from roundup.rate_limit import Gcra, RateLimit
+from roundup.cgi.timestamp import Timestamped
 from roundup.exceptions import Reject, RejectRaw
 from roundup.anypy import urllib_
 from roundup.anypy.strings import StringIO
@@ -1036,7 +1037,7 @@ def handle(self):
             return
         return self.finishRego()
 
-class RegisterAction(RegoCommon, EditCommon):
+class RegisterAction(RegoCommon, EditCommon, Timestamped):
     name = 'register'
     permissionType = 'Register'
 
@@ -1050,6 +1051,15 @@ def handle(self):
         if self.client.env['REQUEST_METHOD'] != 'POST':
             raise Reject(self._('Invalid request'))
 
+        # try to make sure user is not a bot by checking the
+        # hidden field opaqueregister to make sure it's at least
+        # WEB_REGISTRATION_DELAY seconds. If set to 0,
+        # disable the check.
+        delaytime = self.db.config['WEB_REGISTRATION_DELAY']
+
+        if delaytime > 0:
+            self.timecheck('opaqueregister', delaytime)
+        
         # parse the props from the form
         try:
             props, links = self.client.parsePropsFromForm(create=1)

roundup/cgi/templating.py

@@ -35,6 +35,8 @@
 
 from .KeywordsExpr import render_keywords_expression_editor
 
+from roundup.cgi.timestamp import pack_timestamp
+
 import roundup.anypy.random_ as random_
 try:
     import cPickle as pickle
@@ -3090,6 +3092,9 @@ def Batch(self, sequence, size, start, end=0, orphan=0, overlap=0):
     def anti_csrf_nonce(self, lifetime=None):
         return anti_csrf_nonce(self.client, lifetime=lifetime)
 
+    def timestamp(self):
+        return pack_timestamp()
+    
     def url_quote(self, url):
         """URL-quote the supplied text."""
         return urllib_.quote(url)

share/roundup/templates/classic/html/user.register.html

@@ -12,6 +12,8 @@
       enctype="multipart/form-data"
       tal:attributes="action context/designator">
 
+<input type="hidden" name="opaqueregister"
+	 tal:attributes="value python: utils.timestamp()">
 <table class="form">
  <tr>
   <th i18n:translate="">Name</th>

share/roundup/templates/devel/extensions/timestamp.py

@@ -18,7 +18,9 @@
       enctype="multipart/form-data"
       tal:attributes="action context/designator">
 
-<input type="hidden" name="opaque" tal:attributes="value python: utils.timestamp()" />
+<input type="hidden" name="opaqueregister"
+	 tal:attributes="value python: utils.timestamp()">
+
 <table class="form">
  <tr>
   <th i18n:translate="">Name</th>

share/roundup/templates/devel/html/user.register.html

@@ -14,6 +14,8 @@
         name ="itemSynopsis"
         enctype ="multipart/form-data"
         action ='{{  context.designator() }}'>
+    <input type="hidden" name="opaqueregister"
+           value="{{ utils.timestamp() }}" >
     <table>
       <tr>
         <th>{{ i18n.gettext('Name')|u }}</th>

share/roundup/templates/jinja2/html/user.register.html

@@ -19,6 +19,8 @@
 
 <tal:block tal:condition="editok">
 <form method="POST" onSubmit="return submit_once()" enctype="multipart/form-data">
+<input type="hidden" name="opaqueregister"
+       tal:attributes="value python: utils.timestamp()" >
 <input type="hidden" name=":template" value="register">
 <input type="hidden" name=":required" value="username">
 <input type="hidden" name=":required" value="password">